
issue with vpn_gateway and amazon_side_asn #5263

Closed
dhermans opened this issue Jul 20, 2018 · 13 comments · Fixed by #5441 or #5291
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@dhermans

Hi team,
thanks for terraform - it's awesome

I'd like to bring to light an issue with this committed PR:
#1888

This PR quite correctly limits the acceptable ASN that can be added in this field to match the console.
This is in line with the AWS direct connect Faq:
https://aws.amazon.com/directconnect/faqs/

If you are using a private ASN, it must be in the 64512 to 65535 range.

Amazon implemented this change (without warning except the FAQ page update) on July 1. All good - we found a new ASN in the acceptable range and can create new VPN gateway using that ASN.

The issue is that we have MANY vpn_gateway created before 1 July that use the prior 'default' Amazon peering ASN of 7224.

terraform can no longer update these 'pre July 1' stacks due to the now invalid ASN:

Error: module.xxx-vpc.aws_vpn_gateway.xxx-vgw: "amazon_side_asn" ("7222") must be in the range 64512 to 65534 or 4200000000 to 4294967294

We can't easily change the ASN as that will cause an outage while the direct connect peering is changed.

Can the provider be amended to accept 7224 if the vpn_gateway already exists ( as this was the old amazon default and there may be many peers using this ) and enforce 64512 to 65534 on create?

Thanks!

cc: @ewbankkit

@ewbankkit
Contributor

ewbankkit commented Jul 20, 2018

@dhermans For these existing VGWs with the 7224 ASN did you terraform import them? I'm just trying to work out how you got to code with amazon_side_asn = 7224.

@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Jul 20, 2018
@heycasey

If you use the AWS console and create a VGW and choose the "Amazon default ASN", it will set the ASN to 64512. Therefore, it looks like setting a VGW to 7224 is no longer allowed. Therefore, even if the resource was modified so that 7224 would be an accepted value, I'm guessing that AWS would still reject the request.

@dhermans
Author

@ewbankkit hi
all our VGW were created with terraform 0.8.8 and without specifying an ASN (you couldn't in that version of course). If I import a VGW created with 0.8.8 with 0.11.5 I correctly get:
"attributes": {
"amazon_side_asn": "7224",

If I then 'plan' the imported TF code then it fails validation.

Seems messy but I could get around it with a 'pre 1 July' module which doesn't specify the ASN and a different module which does for 'post 1 July'.

Hence my query that maybe terraform could accept 7224 on EXISTING VGW but block 7224 on CREATE? Not sure it's structured that way - or maybe just let AWS barf out as it won't accept it either.

@heycasey hope it's clearer? I'm not trying to create a VGW with 7224, you're right - Amazon won't allow it. I'm wanting the same terraform module to manage VGW created before / after 1 July (if possible).

@ewbankkit
Contributor

OK, I understand the situation. We probably need to handle both 7224 and 9059 ASNs as these are both Amazon reserved.
This should be fixable by using a CustomizeDiff function in place of the ValidateFunc for amazon_side_asn.

@dhermans
Author

@ewbankkit thanks! standing by to test

@rbadillo

rbadillo commented Jul 23, 2018

@ewbankkit When is this fix planned to be merged into master? Or how can I fix it for now locally?

@bflad bflad added this to the v1.30.0 milestone Jul 30, 2018
@bflad
Contributor

bflad commented Jul 30, 2018

Accepting the legacy 7224 and 9059 ASNs for the aws_vpn_gateway resource has been merged into master and will release with version 1.30.0 of the AWS provider, likely middle of this week.

@NickGrande

Could you also extend the logic to accept the legacy 17493 and 10124 ASN values? Those were the default assigned ASNs for VGWs in Singapore and Tokyo prior to 2018-06-30 (documented in the Note under the Virtual Private Gateway section).

If you create your virtual private gateway before 2018-06-30, the default ASN is 17493 in the Asia Pacific (Singapore) region, 10124 in the Asia Pacific (Tokyo) region, 9059 in the EU (Ireland) region, and 7224 in all other regions.

@bflad
Contributor

bflad commented Aug 2, 2018

Seems reasonable -- I'll reopen this issue

@bflad bflad reopened this Aug 2, 2018
@bflad bflad removed this from the v1.30.0 milestone Aug 2, 2018
@ewbankkit
Contributor

I should be able to address this tomorrow.

@rbadillo

rbadillo commented Aug 2, 2018

So, this ticket is not planned to be in v1.30.0 ?

@bflad
Contributor

bflad commented Aug 2, 2018

9059 and 7224 are allowed in version 1.30.0 -- 17493 and 10124 will likely land in version 1.31.0 next week.
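The approach ewbankkit describes above (a CustomizeDiff-style decision instead of a plain ValidateFunc: enforce the private range on create, but tolerate a legacy default on a VGW that already exists) covering all four legacy ASNs NickGrande lists, as an added example that is not the provider's own code. It is standard-library Go so it runs offline; `checkAmazonSideASN` and `isNew` are hypothetical names, and the Terraform SDK wiring (reading the attribute from `*schema.ResourceDiff` and checking whether the resource ID is set) is left to a comment.

```go
package main

import (
	"fmt"
	"strconv"
)

// legacyAmazonSideASNs are the pre-2018-06-30 defaults quoted in this issue:
// 7224 (most regions), 9059 (EU Ireland), 17493 (Singapore), 10124 (Tokyo).
var legacyAmazonSideASNs = map[int64]bool{7224: true, 9059: true, 17493: true, 10124: true}

// inPrivateASNRange applies the ranges from the provider's error message.
func inPrivateASNRange(asn int64) bool {
	return (asn >= 64512 && asn <= 65534) || (asn >= 4200000000 && asn <= 4294967294)
}

// checkAmazonSideASN is the decision a CustomizeDiff would make (hypothetical
// helper, not the provider's code). In the SDK the caller would pass
// d.Get("amazon_side_asn") and isNew = (d.Id() == ""), i.e. "being created"
// rather than refreshed, updated or imported.
func checkAmazonSideASN(raw string, isNew bool) error {
	asn, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return fmt.Errorf("amazon_side_asn %q is not an integer", raw)
	}
	if inPrivateASNRange(asn) {
		return nil
	}
	if legacyAmazonSideASNs[asn] && !isNew {
		// Legacy default on an existing VGW: keep managing it rather than
		// forcing an ASN change (and a peering outage) on the user.
		return nil
	}
	return fmt.Errorf("amazon_side_asn (%d) must be in the range 64512 to 65534 or 4200000000 to 4294967294", asn)
}

func main() {
	// Constructed cases: the reporter's imported 7224 VGW, a create with 7224,
	// and the typo'd 7222 from the error message in the issue.
	for _, c := range []struct {
		asn   string
		isNew bool
	}{{"7224", false}, {"7224", true}, {"64512", true}, {"7222", false}} {
		fmt.Printf("asn=%s new=%t -> %v\n", c.asn, c.isNew, checkAmazonSideASN(c.asn, c.isNew))
	}
}
```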

@ghost

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020